espressif / idf-extra-components

Additional components for ESP-IDF, maintained by Espressif

fix(coap): Add config option to enable/disable Q-Block option #325

Closed hmalpani closed 5 months ago

hmalpani commented 5 months ago

Add config option to enable/disable Q-Block option

Fixes: https://github.com/espressif/idf-extra-components/issues/324

mahavirj commented 5 months ago

@mrdeep1

mrdeep1 commented 5 months ago

> When can we expect new bugfix release of libcoap containing the fix for CVE-2024-0962?

There is a tagged libcoap release that has this fix in - which I can use to update idf-extra-components. In the near term, we are planning on getting out a Release Candidate which covers this CVE with other updates as well which I will be putting into idf-extra-components.

Do you want me to update the code with the tagged fix?

mahavirj commented 5 months ago

> > When can we expect new bugfix release of libcoap containing the fix for CVE-2024-0962?
>
> There is a tagged libcoap release that has this fix in - which I can use to update idf-extra-components. In the near term, we are planning on getting out a Release Candidate which covers this CVE with other updates as well which I will be putting into idf-extra-components.
>
> Do you want me to update the code with the tagged fix?

I thought an upgrade to the official 4.3.5 would be a cleaner solution. It will also help to align our component version.

At the moment, I see only the 4.3.4a tag here: https://github.com/obgm/libcoap/tags. If we plan to upgrade to this tag, then I am not sure what the corresponding IDF component version will be.

mrdeep1 commented 5 months ago

Yes, 4.3.4a contains the CVE fix. I had assumed that coap/idf_component.yml version would become "4.3.4~2", but I guess something else might not like 4.3.4a.

Certainly 4.3.5 would be cleaner.